add links to docs explaining motivations behind neverallow assertions. Test: comments only. Policy compiles. Change-Id: Ic51533d37fff6c553950a122f33a48e3c119c67c

commit: 6cf9160e8299687a73a48dbb5d4e0f8beb8c2aa2 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Sep 12 15:41:54 2018 -0700
committer: Nick Kralevich <nnk@google.com> Wed Sep 12 15:53:48 2018 -0700
tree: 96c56a11430098152fa146326484ed6473ee52fe
parent: e64414ef816e3f45a59523efaed7cb4583b56bec [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 750ee3e..de62eef 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -880,7 +880,8 @@
 neverallow system_server dex2oat_exec:file no_x_file_perms;
 
 # system_server should never execute or load executable shared libraries
-# in /data
+# in /data. Executable files in /data are a persistence vector.
+# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 neverallow system_server data_file_type:file no_x_file_perms;
 
 # The only block device system_server should be accessing is
@@ -889,6 +890,8 @@
 neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
 
 # system_server should never use JIT functionality
+# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
+# in the section titled "A Short ROP Chain" for why.
 neverallow system_server self:process execmem;
 neverallow system_server ashmem_device:chr_file execute;
commit	6cf9160e8299687a73a48dbb5d4e0f8beb8c2aa2	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Sep 12 15:41:54 2018 -0700
committer	Nick Kralevich <nnk@google.com>	Wed Sep 12 15:53:48 2018 -0700
tree	96c56a11430098152fa146326484ed6473ee52fe
parent	e64414ef816e3f45a59523efaed7cb4583b56bec [diff] [blame]